bpo-43434: Creating a sqlite3.Connection object now also produces a
sqlite3.connect auditing event. Previously this event was only produced
by sqlite3.connect() calls. Patch by Erlend E. Aasland.
bpo-43882: The presence of newline or tab characters in parts of a URL
could allow some forms of attacks. Following the controlling specification
for URLs defined by WHATWG, urllib.parse() now removes ASCII newlines
and tabs from URLs, preventing such attacks.
bpo-43472: Ensures interpreter-level audit hooks receive the
cpython.PyInterpreterState_New event when called through the
_xxsubinterpreters module.
bpo-36384: The ipaddress module no longer accepts any leading zeros in IPv4
address strings. Leading zeros are ambiguous and are interpreted as octal
notation by some libraries. For example, the legacy function socket.inet_aton()
treats leading zeros as octal notation, while the glibc implementation of the
modern inet_pton() does not accept any leading zeros at all. For a while the
ipaddress module used to accept such ambiguous leading zeros.
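As an added illustration of the ambiguity behind bpo-36384 (example code written for this note, not CPython's own): a strict parser that applies the new ipaddress rule, next to a pure-Python model of the legacy inet_aton() octal reading, so the two interpretations of the same string can be compared. The sample addresses are constructed; legacy_octal_ipv4() models the glibc behavior described above rather than calling the C function.

```python
import ipaddress
import re

# Constructed sample inputs for this example.
SAMPLES = ["192.168.1.1", "192.168.010.001", "010.0.0.1", "1.2.3.4"]

# An octet is "0" or a decimal number with no leading zero (value checked below).
_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def _split4(text):
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    return parts


def strict_ipv4(text):
    """Post-bpo-36384 rule: plain decimal octets, no leading zeros.
    Returns the address as a 32-bit integer or raises ValueError."""
    value = 0
    for part in _split4(text):
        if not _OCTET.fullmatch(part) or int(part) > 255:
            raise ValueError(f"invalid or ambiguous octet {part!r} in {text!r}")
        value = (value << 8) | int(part)
    return value


def legacy_octal_ipv4(text):
    """Model of legacy inet_aton(): an octet with a leading zero is octal.
    Returns the address as a 32-bit integer or raises ValueError."""
    value = 0
    for part in _split4(text):
        base = 8 if len(part) > 1 and part.startswith("0") else 10
        octet = int(part, base)  # int() rejects digits invalid for the base
        if octet > 255:
            raise ValueError(f"octet {part!r} out of range in {text!r}")
        value = (value << 8) | octet
    return value


def is_ambiguous(text):
    """True when a lenient decimal reading and the legacy octal reading
    of the same string name different hosts."""
    try:
        decimal = 0
        for part in _split4(text):
            decimal = (decimal << 8) | int(part, 10)
        return decimal != legacy_octal_ipv4(text)
    except ValueError:
        return False


def ipaddress_accepts(text):
    """Whether this interpreter's ipaddress module accepts the string."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False
```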
bpo-43075: Fix a Regular Expression Denial of Service (ReDoS) vulnerability
in urllib.request.AbstractBasicAuthHandler. The ReDoS-vulnerable regex has
quadratic worst-case complexity and could be used to cause a denial of
service when identifying crafted invalid RFCs. This ReDoS issue is on the
client side and requires a remote attacker to control the HTTP server.
bpo-42800: Audit hooks are now fired for frame.f_code, traceback.tb_frame,
and generator code/frame attribute access.